CVE-2025-4302

5.3 MEDIUM

📋 TL;DR

The Stop User Enumeration WordPress plugin before version 1.7.3 has an authentication bypass vulnerability. Attackers can bypass user enumeration protection by URL-encoding the REST API path, allowing them to retrieve WordPress user information without authentication. This affects WordPress sites using vulnerable versions of the plugin.

💻 Affected Systems

Products:
  • Stop User Enumeration WordPress plugin
Versions: All versions before 1.7.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the vulnerable plugin enabled. The plugin must be configured to block user enumeration via REST API.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain complete user lists including usernames, IDs, and potentially email addresses, enabling targeted phishing campaigns, credential stuffing attacks, or reconnaissance for further exploitation.

🟠 Likely Case

Attackers harvest valid usernames for brute-force password attacks or gather intelligence about site administrators and users.

🟢 If Mitigated

User enumeration is prevented as intended, with only authorized users able to access user information through the REST API.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only URL-encoding the API endpoint path. The vulnerability is publicly documented with proof-of-concept details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.3

Vendor Advisory: https://wpscan.com/vulnerability/19f67d6e-4ffe-4126-ac42-fb23c5017a3e

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Stop User Enumeration' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.7.3 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: all)

Temporarily disable the Stop User Enumeration plugin until it is patched. Note that this removes the enumeration protection entirely rather than only the bypass, so pair it with the endpoint block below:

wp plugin deactivate stop-user-enumeration

Block REST API user endpoint (platform: linux)

Use the web server or a firewall to block access to /wp-json/wp/v2/users/. The rule must be evaluated against the decoded path (the bypass relies on percent-encoded slashes) and should not require a trailing slash, since /wp-json/wp/v2/users?per_page=100 reaches the same endpoint. Both servers below match on the decoded URI: mod_rewrite in per-directory (.htaccess) context and nginx location matching both operate on the normalized, decoded path. This also blocks legitimate authenticated calls to the endpoint (the block editor uses it for author selection), so treat it as temporary.

# Apache (.htaccess in the WordPress root)
RewriteEngine On
RewriteRule ^wp-json/wp/v2/users(/|$) - [F,L]

# Nginx (place before the generic WordPress location block so it takes precedence)
location ~* ^/wp-json/wp/v2/users(/|$) { return 403; }

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block URL-encoded requests to user enumeration endpoints
  • Disable WordPress REST API user endpoints entirely via functions.php or security plugin

🔍 How to Verify

Check if Vulnerable:

Without authenticating, request /wp-json/wp/v2/users/ with a percent-encoded path (e.g., /wp-json/wp%2fv2%2fusers/). If user data is returned, the site is vulnerable.

Check Version:

wp plugin get stop-user-enumeration --field=version

Verify Fix Applied:

After update, repeat the same URL-encoded request - should return 403 or empty response instead of user data.

📡 Detection & Monitoring

Log Indicators:

  • Multiple 200 OK responses to URL-encoded /wp-json/wp/v2/users/ requests from unauthenticated users
  • Unusual spikes in requests to user REST endpoints

Network Indicators:

  • HTTP requests with URL-encoded paths to user enumeration endpoints
  • Patterns of sequential user ID queries

SIEM Query:

http.url:*wp-json*%2f*users* AND http.status_code:200 AND NOT authenticated_user:*

The wildcard is deliberately loose: the encoded slash can appear at any position in the path (the verification example above encodes only the slashes after wp-json), and encoders emit both %2f and %2F, so use a case-insensitive match or add the uppercase variant. Double-encoded paths (%252f) need a separate term.
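As an added example (not part of the advisory or the plugin), a small Python detector that applies the log indicators above to web-server access logs. Instead of matching the raw string, it percent-decodes each request path until it stops changing (catching %2f, %2F and double encoding alike), and flags 200 responses whose decoded path reaches the users endpoint while the raw path contained encoding. The access-log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2025:12:00:01 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 403 52 "-" "curl/8.0"
203.0.113.10 - - [10/May/2025:12:00:02 +0000] "GET /wp-json/wp%2fv2%2fusers/ HTTP/1.1" 200 1874 "-" "curl/8.0"
203.0.113.11 - - [10/May/2025:12:00:03 +0000] "GET /wp-json/wp%252Fv2%252Fusers?per_page=100 HTTP/1.1" 200 2210 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2025:12:00:04 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
USERS_ENDPOINT = "/wp-json/wp/v2/users"


def normalize_path(target: str) -> str:
    """Return the path as the REST router sees it: query stripped, percent-decoded
    repeatedly (bounded, so double encoding is unwrapped), slashes collapsed, lowercased."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path)
    return path.lower()


def find_bypass_attempts(log_text: str) -> list[dict]:
    """Flag successful (200) requests that reached the users endpoint via an encoded path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        raw_path = m["target"].split("?", 1)[0]
        norm = normalize_path(m["target"])
        encoded = "%" in raw_path  # a plain request to the endpoint is the plugin's job to block
        if norm.startswith(USERS_ENDPOINT) and encoded and m["status"] == "200":
            hits.append({"ip": m["ip"], "raw_path": raw_path, "normalized": norm})
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} reached {hit['normalized']} via {hit['raw_path']}")
```

The first sample line (plain path, 403) is the plugin working as intended and is not flagged; the two encoded variants that returned 200 are.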
